CMSC 858K Introduction to Secure Computation October 18, Lecture 19
|
|
- Naomi Todd
- 5 years ago
- Views:
Transcription
1 CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK) is a protocol between a prover P and verifier V with the property that there exists a knowledge extractor K which can extract a witness from P in the case that V accepts. In this definition, we assume the prover is all-powerful, i.e., has no bound on its running time. We can weaken this notion by considering an argument-of-knowledge (AoK), which is defined equivalently to a PoK except the prover runs in polynomial time. We will demonstrate a constant-round ZKAoK (due to Feige and Shamir [FS89]) later in this lecture. 1 Using our constant-round ZKAoK protocol, we can achieve a constant-round coin-tossing protocol (due to Lindell [Lin03]). Finally, we can combine these results to achieve two-party computation with malicious security from any semi-honest protocol, and thus we get constant-round maliciously-secure two-party computation. 2 Witness Indistinguishability Before proceeding to our constant-round ZKAoK protocol, we need to discuss the notion of witness indistinguishability (WI). A protocol is witness-indistinguishable if a malicious verifier cannot distinguish which witness a prover is using. More formally: Definition 1 A protocol execution P, V is witness-indistinguishable if for all x, w 1, w 2 such that (x, w 1 ), (x, w 2 ) R L and for all polynomial time (malicious) verifiers V, } View V } P (x,w 1 ),V (x) (1k ) View V P (x,w 2 ),V (x) (1k ). Clearly ZK implies WI: } A ZK proof implies that there exists a simulator S such that View V P (x,w 1 ),V (x) (1k ) S(x)} and View V P (x,w 2 ),V (x) )} (1k S(x)}. We can also show that WI is preserved under parallel composition (by a standard hybrid argument). This implies the following corollary: Corollary 1 k-fold parallel repetition of the ZK proof for graph Hamiltonicity from Lecture 16 is a WIPoK with soundness error 2 k. 1 Besides having constant round ZKAoKs, we also have constant round ZKPoKs (due to Goldreich and Kahan [GK96]). However, we do not discuss this result further. 19-1
2 3 Constant-round ZKAoK We now show the Feige-Shamir protocol for constant-round ZKAoKs [FS89]. Let f be a one-way function. Feige-Shamir Protocol for Constant-round ZKAoKs P (x, w) V (x) y 1, y 2 r 1, r 2 0, 1} n WIPoK(f 1 (y 1 ) or f 1 (y 2 )) WIPoK(f 1 (y 1 ) or f 1 (y 2 ) or x L) y i = f(r i ) Theorem 2 The above protocol is a ZKAoK. Proof We prove this in two steps. We first show that the protocol is a ZK proof, and then we show that it is an AoK. Claim 3 The above protocol is a ZK proof. Let V be a cheating verifier. We construct a simulator S as follows: 1. Receive y 1, y 2 from V. Simulator S for V 2. Verify the PoK from V. If the proof fails, then abort. Otherwise, extract r such that f(r) y 1, y 2 }. 3. Run the final proof as an honest prover would, using witness r. It is easy to see that this simulator is computationally indistinguishable from the real execution by the WI property. Claim 4 The above protocol is an argument-of-knowledge. Let P be a (polynomial-time) cheating prover, and let K be the knowledge extractor that exists for the WIPoK of the statement f 1 (y i ) or f 1 (y 2 ) or x L. We construct a knowledge extractor K as follows: Knowledge Extractor K 1. Choose r 1, r 2 0, 1} k and compute y i = f(r i ) for i 1, 2}. 2. Run the (first) WIPoK using witness r If P succeeds in its WIPoK, then run K to extract either an r such that f(r) y 1, y 2 } or a witness w such that (x, w) R L. 19-2
3 If we can show that K does not extract an r such that f(r) y 1, y 2 } except with negligible probability, then this implies that K successfully extracts a witness w such that (x, w) R L except with negligible probability. Indeed, say K extracts r with f(r) y 1, y 2 } with probability p. Let p 1 be the probability that f(r) = y 1 and let p 2 be the probability that f(r) = y 2. Suppose p 1 is non-negligible. We can turn this into an attack on f as follows: Construct an attacker which, given y 1, chooses r 2 0, 1} k and sets y 2 = f(r 2 ), runs Step 2 of K with r 2 as the witness, and then runs Step 3 of K to extract f 1 (y 1 ). This attack succeeds with probability p 1 and thus p 1 must be negligible. Now, suppose p 2 is non-negligible. Let K be the same as K, except it uses witness r 1 in Step 2 instead of r 2, and let p 2 be the probability that K extracts r with f(r) = y 2 when used by K. By the WI property, it must be the case that p 2 p 2 is negligible. Now, a similar attack to the one described in the previous paragraph shows that p 2 must be negligible. Thus, K extracts r with f(r) y 1, y 2 } with negligible probability, completing the proof. 4 Constant-round Coin Tossing We can define the (two-party) coin-tossing functionality, F ct, as follows: Functionality F ct 0, 1} k Output: The functionality computes r 0, 1} k and outputs r to both parties. Now, consider the following protocol for realizing F ct : Coin-tossing Candidate Protocol #1 P 1 P 2 r 1 0, 1} k com(r 1 ) r 2 r2 0, 1} k r Output r 1 r 1, decom(com(r 1 )) 2 Output r 1 r 2 The problem is that this protocol, while it intuitively looks secure, is not simulatable when k is the security parameter (the protocol is in fact secure if k is some small fixed constant, such as 1). Consider the case of a malicious P 2 who sets r 2 to be some function of the commitment sent by P 1. The simulator is thus unable to fix r 1 such that r 1 r 2 = r for some uniformly chosen r, since r 2 depends on r 1. Thus, we modify this protocol by adding ZKAoKs such that P 1 proves knowledge of the committed value, allowing this value to be extracted by the simulator: 19-3
4 Coin-tossing Protocol P 1 P 2 r 1 0, 1} k com(r 1 ) ZKAoK that r 1 is the committed value r 2 r2 0, 1} k r 1 ZK argument that initial commitment was to r 1 Output r 1 r 2 Output r 1 r 2 We now prove that this protocol, due to Lindell [Lin03], securely realizes the F ct functionality. Proof Let P2 be a malicious party playing the part of P 2 in the coin-tossing protocol. We construct a simulator S for P2 as follows. Simulator S for P2 1. Query F ct, receiving back r. 2. Compute com(0) and send it to P2. 3. Simulate the ZKAoK about the validity of the previously sent commitment. 4. Receive r 2 from P2. 5. Send r 1 = r 2 r to P2. 6. Simulate the ZK argument that the initial commitment was to r 1. The proof is straightforward but involved; see [Lin03] for the details. We now show a simulator S for a malicious P 1. Simulator S for P1 1. Query F ct, receiving back r. 2. Receive a commitment from P1. 3. Verify the ZKAoK from P1 and extract r Send r 2 = r 1 r to P1. 5. Receive r 1 from P1. 6. Verify P1 s ZK argument, and thus r 1 = r 1 with high probability. Again, the proof is straightforward but involved; see [Lin03]. 19-4
5 References [FS89] Uriel Feige and Adi Shamir. Zero knowledge proofs of knowledge in two rounds. In Gilles Brassard, editor, Advances in Cryptology CRYPTO 89, volume 435 of Lecture Notes in Computer Science, pages , Santa Barbara, CA, USA, August 20 24, Springer, Berlin, Germany. [GK96] Oded Goldreich and Ariel Kahan. How to construct constant-round zero-knowledge proof systems for NP. Journal of Cryptology, 9(3): , [Lin03] Yehuda Lindell. Parallel coin-tossing and constant-round secure two-party computation. Journal of Cryptology, 16(3): , June
Lecture 3,4: Universal Composability
6.897: Advanced Topics in Cryptography Feb 5, 2004 Lecture 3,4: Universal Composability Lecturer: Ran Canetti Scribed by: Yael Kalai and abhi shelat 1 Introduction Our goal in these two lectures is to
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationSimulation in Quasi-Polynomial Time, and Its Application to Protocol Composition
Simulation in Quasi-Polynomial Time, and Its Application to Protocol Composition Rafael Pass Department of Numerical Analysis and Computer Science, Royal Institute of Technology, 100 44 Stockholm, Sweden.
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationDelayed-Input Non-Malleable Zero Knowledge and Multi-Party Coin Tossing in Four Rounds
Delayed-Input Non-Malleable Zero Knowledge and Multi-Party Coin Tossing in Four Rounds Michele Ciampi DIEM Università di Salerno ITALY mciampi@unisa.it Rafail Ostrovsky UCLA Los Angeles rafail@cs.ucla.edu
More informationCMSC 858K Advanced Topics in Cryptography March 4, 2004
CMSC 858K Advanced Topics in Cryptography March 4, 2004 Lecturer: Jonathan Katz Lecture 12 Scribe(s): Omer Horvitz Zhongchao Yu John Trafton Akhil Gupta 1 Introduction Our goal is to construct an adaptively-secure
More informationDistinguisher-Dependent Simulation in Two Rounds and its Applications
Distinguisher-Dependent Simulation in Two Rounds and its Applications Abhishek Jain Yael Tauman Kalai Dakshita Khurana Ron Rothblum Abstract We devise a novel simulation technique that makes black-box
More informationLecture 18: Zero-Knowledge Proofs
COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationResettable Cryptography in Constant Rounds the Case of Zero Knowledge
Resettable Cryptography in Constant Rounds the Case of Zero Knowledge Yi Deng Dengguo Feng Vipul Goyal Dongdai Lin Amit Sahai Moti Yung NTU Singapore and SKLOIS, Institute of Software, CAS, China MSR India
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL
1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationStatistical WI (and more) in Two Messages
Statistical WI (and more) in Two Messages Yael Tauman Kalai MSR Cambridge, USA. yael@microsoft.com Dakshita Khurana UCLA, USA. dakshita@cs.ucla.edu Amit Sahai UCLA, USA. sahai@cs.ucla.edu Abstract Two-message
More informationImproved OR-Composition of Sigma-Protocols
Improved OR-Composition of Sigma-Protocols Michele Ciampi 1, Giuseppe Persiano 2, Alessandra Scafuro 3, Luisa Siniscalchi 1, and Ivan Visconti 1 1 DIEM, University of Salerno, ITALY {mciampi,lsiniscalchi,visconti}@unisa.it
More information1 Recap: Interactive Proofs
Theoretical Foundations of Cryptography Lecture 16 Georgia Tech, Spring 2010 Zero-Knowledge Proofs 1 Recap: Interactive Proofs Instructor: Chris Peikert Scribe: Alessio Guerrieri Definition 1.1. An interactive
More informationRound-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations
Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations Carmit Hazay 1 and Muthuramakrishnan Venkitasubramaniam 2 1 Bar-Ilan University 2 University of Rochester Abstract. In this
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationConstant-round Leakage-resilient Zero-knowledge from Collision Resistance *
Constant-round Leakage-resilient Zero-knowledge from Collision Resistance * Susumu Kiyoshima NTT Secure Platform Laboratories, Tokyo, Japan kiyoshima.susumu@lab.ntt.co.jp August 20, 2018 Abstract In this
More informationAn Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle
An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il September 6, 2015
More informationZero-Knowledge Against Quantum Attacks
Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP
More informationA Note on Negligible Functions
Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March
More informationConcurrent Non-malleable Commitments from any One-way Function
Concurrent Non-malleable Commitments from any One-way Function Margarita Vald Tel-Aviv University 1 / 67 Outline Non-Malleable Commitments Problem Presentation Overview DDN - First NMC Protocol Concurrent
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationHow to Go Beyond the Black-Box Simulation Barrier
How to Go Beyond the Black-Box Simulation Barrier Boaz Barak December 30, 2008 Abstract The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction
More informationLecture 15: Interactive Proofs
COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction
More informationOn Constant-Round Concurrent Zero-Knowledge
On Constant-Round Concurrent Zero-Knowledge Rafael Pass and Muthuramakrishnan Venkitasubramaniam Cornell University, {rafael,vmuthu}@cs.cornell.edu Abstract. Loosely speaking, an interactive proof is said
More informationLecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.
CS 221: Computational Complexity Prof. Salil Vadhan Lecture Notes 17 March 31, 2010 Scribe: Jonathan Ullman 1 Interactive Proofs ecall the definition of NP: L NP there exists a polynomial-time V and polynomial
More informationImpossibility and Feasibility Results for Zero Knowledge with Public Keys
Impossibility and Feasibility Results for Zero Knowledge with Public Keys Joël Alwen 1, Giuseppe Persiano 2, and Ivan Visconti 2 1 Technical University of Vienna A-1010 Vienna, Austria. e9926980@stud3.tuwien.ac.at
More informationOn Achieving the Best of Both Worlds in Secure Multiparty Computation
On Achieving the Best of Both Worlds in Secure Multiparty Computation Yuval Ishai Jonathan Katz Eyal Kushilevitz Yehuda Lindell Erez Petrank Abstract Two settings are traditionally considered for secure
More informationConstant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model
Electronic Colloquium on Computational Complexity, Report No. 48 (2005) Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model Moti Yung Yunlei Zhao Abstract We present constant-round
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More information6.897: Selected Topics in Cryptography Lectures 11 and 12. Lecturer: Ran Canetti
6.897: Selected Topics in Cryptography Lectures 11 and 12 Lecturer: Ran Canetti Highlights of last week s lectures Formulated the ideal commitment functionality for a single instance, F com. Showed that
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationA Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness
A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness Gilad Asharov Yehuda Lindell Tal Rabin February 25, 2013 Abstract It is well known that it is impossible
More informationFang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University
Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University Are classical cryptographic protocols secure against quantum attackers? 2 Are classical cryptographic
More informationThe Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols
The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols Mihir Bellare and Adriana Palacio Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman Drive,
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationOn the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner 1, Alon Rosen 2, and Ronen Shaltiel 3 1 Microsoft Research, New England Campus. iftach@microsoft.com 2 Herzliya Interdisciplinary
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationConcurrent Knowledge Extraction in the Public-Key Model
Concurrent Knowledge Extraction in the Public-Key Model Andrew C. Yao Moti Yung Yunlei Zhao Abstract Knowledge extraction is a fundamental notion, modeling machine possession of values (witnesses) in a
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More informationNotes for Lecture 27
U.C. Berkeley CS276: Cryptography Handout N27 Luca Trevisan April 30, 2009 Notes for Lecture 27 Scribed by Madhur Tulsiani, posted May 16, 2009 Summary In this lecture we begin the construction and analysis
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationA Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)
A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,venkat@cs.uvic.ca
More informationAbstract. Often the core diculty in designing zero-knowledge protocols arises from having to
Interactive Hashing Simplies Zero-Knowledge Protocol Design Rafail Ostrovsky Ramarathnam Venkatesan y Moti Yung z (Extended abstract) Abstract Often the core diculty in designing zero-knowledge protocols
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationHow to Go Beyond the Black-Box Simulation Barrier
How to Go Beyond the Black-Box Simulation Barrier Boaz Barak Department of Computer Science, Weizmann Institute of Science Rehovot, ISRAEL boaz@wisdom.weizmann.ac.il November 13, 2001 Abstract The simulation
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationImproved OR Composition of Sigma-Protocols
Improved OR Composition of Sigma-Protocols Michele Ciampi DIEM Università di Salerno ITALY mciampi@unisa.it Giuseppe Persiano DISA-MIS Università di Salerno ITALY giuper@gmail.com Luisa Siniscalchi DIEM
More informationThe Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols
A preliminary version of this paper appeared in Advances in Cryptology CRYPTO 04, Lecture Notes in Computer Science ol.??, M. Franklin ed., Springer-erlag, 2004. This is the full version. The Knowledge-of-Exponent
More informationComplete Fairness in Multi-Party Computation Without an Honest Majority
Complete Fairness in Multi-Party Computation Without an Honest Maority S. Dov Gordon Jonathan Katz Abstract Gordon et al. recently showed that certain (non-trivial) functions can be computed with complete
More informationComplete Fairness in Multi-Party Computation Without an Honest Majority
Complete Fairness in Multi-Party Computation Without an Honest Maority Samuel Dov Gordon Abstract A well-known result of Cleve shows that complete fairness is impossible, in general, without an honest
More informationThe Round-Complexity of Black-Box Zero-Knowledge: A Combinatorial Characterization
The Round-Complexity of Black-Box Zero-Knowledge: A Combinatorial Characterization Daniele Micciancio and Scott Yilek Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationThe Exact Round Complexity of Secure Computation
The Exact Round Complexity of Secure Computation Sanjam Garg 1, Pratyay Mukherjee, 1 Omkant Pandey 2, Antigoni Polychroniadou 3 1 University of California, Berkeley {sanjamg,pratyay85}@berkeley.edu 2 Drexel
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationA Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles
A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles Michele Ciampi DIEM University of Salerno ITALY mciampi@unisa.it Giuseppe Persiano
More informationImpossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs
Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationOn Round-Efficient Argument Systems
On Round-Efficient Argument Systems Hoeteck Wee Computer Science Division UC Berkeley Abstract. We consider the problem of constructing round-efficient public-coin argument systems, that is, interactive
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm PRABHANJAN ANANTH Microsoft Research India prabhanjan.va@gmail.com RAGHAV BHASKAR Microsoft Research India rbhaskar@microsoft.com VIPUL GOYAL Microsoft Research
More information6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti
6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic
More informationOn the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner 1,,AlonRosen 2,, and Ronen Shaltiel 3, 1 Microsoft Research, New England Campus iftach@microsoft.com 2 Herzliya Interdisciplinary
More informationLeakage-Resilient Zero Knowledge
Leakage-Resilient Zero Knowledge Sanjam Garg Abhishek Jain Amit Sahai UCLA Abstract In this paper, we initiate a study of zero knowledge proof systems in the presence of sidechannel attacks. Specifically,
More informationPerfect Zero-Knowledge Arguments for NP Using any One-Way Permutation
Perfect Zero-Knowledge Arguments for NP Using any One-Way Permutation Moni Naor Rafail Ostrovsky Ramarathnam Venkatesan Moti Yung Abstract Perfect zero-knowledge arguments is a cryptographic primitive
More informationRound Efficiency of Multi-Party Computation with a Dishonest Majority
Round Efficiency of Multi-Party Computation with a Dishonest Majority Jonathan Katz Rafail Ostrovsky Adam Smith May 2, 2003 Abstract We consider the round complexity of multi-party computation in the presence
More informationFounding Cryptography on Smooth Projective Hashing
Founding Cryptography on Smooth Projective Hashing Bing Zeng a a School of Software Engineering, South China University of Technology, Guangzhou, 510006, China Abstract Oblivious transfer (OT) is a fundamental
More informationProtocols for Multiparty Coin Toss with a Dishonest Majority
Protocols for Multiparty Coin Toss with a Dishonest Maority Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer Science and Mathematics
More informationA Note on the Cramer-Damgård Identification Scheme
A Note on the Cramer-Damgård Identification Scheme Yunlei Zhao 1, Shirley H.C. Cheung 2,BinyuZang 1,andBinZhu 3 1 Software School, Fudan University, Shanghai 200433, P.R. China {990314, byzang}@fudan.edu.cn
More informationMagic Functions. In Memoriam Bernard M. Dwork
Magic Functions In Memoriam Bernard M. Dwork 1923 1998 Cynthia Dwork Moni Naor Omer Reingold Larry Stockmeyer Abstract We prove that three apparently unrelated fundamental problems in distributed computing,
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationGeneric and Practical Resettable Zero-Knowledge in the Bare Public-Key Model
Generic and ractical Resettable Zero-Knowledge in the Bare ublic-key Model Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationConstant-Round Coin-Tossing With a Man in the Middle or Realizing the Shared Random String Model
Constant-Round Coin-Tossing With a Man in the Middle or Realizing the Shared Random String Model Boaz Barak May 19, 2008 Abstract We construct the first constant-round non-malleable commitment scheme and
More informationInteractive and Noninteractive Zero Knowledge Coincide in the Help Model
Interactive and Noninteractive Zero Knowledge Coincide in the Help Model Dragos Florin Ciocan and Salil Vadhan School of Engineering and Applied Sciences Harvard University Cambridge, MA 02138 ciocan@post.harvard.edu,
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationLecture 13: Seed-Dependent Key Derivation
Randomness in Cryptography April 11, 2013 Lecture 13: Seed-Dependent Key Derivation Lecturer: Yevgeniy Dodis Scribe: Eric Miles In today s lecture, we study seeded key-derivation functions (KDFs) in the
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationOn the Security of Classic Protocols for Unique Witness Relations
On the Security of Classic Protocols for Unique Witness Relations Yi Deng 1,2, Xuyang Song 1,2, Jingyue Yu 1,2, and Yu Chen 1,2 1 State Key Laboratory of Information Security, Institute of Information
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationRound Efficiency of Multi-Party Computation with a Dishonest Majority
Round Efficiency of Multi-Party Computation with a Dishonest Majority Jonathan Katz 1, Rafail Ostrovsky 2, and Adam Smith 3 1 Dept. of Computer Science, University of Maryland, College Park, MD. jkatz@cs.umd.edu
More informationCS151 Complexity Theory. Lecture 13 May 15, 2017
CS151 Complexity Theory Lecture 13 May 15, 2017 Relationship to other classes To compare to classes of decision problems, usually consider P #P which is a decision class easy: NP, conp P #P easy: P #P
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationPrecise Zero Knowledge
Precise Zero Knowledge Silvio Micali Rafael Pass December 1, 2007 Abstract We put forward the notion of Precise Zero Knowledge and provide its first implementations in a variety of settings under standard
More informationExecutable Proofs, Input-Size Hiding Secure Computation and a New Ideal World
Executable Proofs, Input-Size Hiding Secure Computation and a New Ideal World Melissa Chase 1(B), Rafail Ostrovsky 2, and Ivan Visconti 3 1 Microsoft Research, Redmond, USA melissac@microsoft.com 2 UCLA,
More information(Nearly) round-optimal black-box constructions of commitments secure against selective opening attacks
(Nearly) round-optimal black-box constructions of commitments secure against selective opening attacks David Xiao 12 dxiao@liafa.fr 1 LIAFA, Université Paris 7, 75205 Paris Cedex 13, France 2 Université
More information6.897: Selected Topics in Cryptography Lectures 7 and 8. Lecturer: Ran Canetti
6.897: Selected Topics in Cryptography Lectures 7 and 8 Lecturer: Ran Canetti Highlights of past lectures Presented a basic framework for analyzing the security of protocols for multi-party function evaluation.
More informationFast Large-Scale Honest-Majority MPC for Malicious Adversaries
Fast Large-Scale Honest-Majority MPC for Malicious Adversaries Koji Chida 1, Daniel Genkin 2, Koki Hamada 1, Dai Ikarashi 1, Ryo Kikuchi 1, Yehuda Lindell 3, and Ariel Nof 3 1 NTT Secure Platform Laboratories,
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationZero Knowledge and Soundness are Symmetric
Zero Knowledge and Soundness are Symmetric Shien Jin Ong and Salil Vadhan School of Engineering and Applied Sciences Harvard University Cambridge, Massachusetts, USA {shienjin,salil}@eecs.harvard.edu Abstract.
More informationEfficient Zero-Knowledge for NP from Secure Two-Party Computation
Efficient Zero-Knowledge for NP from Secure Two-Party Computation Hongda Li 1,2, Dongxue Pan 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication Security Research Center, Chinese Academy of Sciences,
More informationBlack-Box, Round-Efficient Secure Computation via Non-Malleability Amplification
Black-Box, Round-Efficient Secure Computation via Non-Malleability Amplification Hoeteck Wee Queens College, CUNY hoeteck@cs.qc.cuny.edu Abstract. We present round-efficient protocols for secure multi-party
More informationSoundness in the Public-Key Model
Soundness in the Public-Key Model Silvio Micali and Leonid Reyzin Laboratory for Computer Science Massachusetts Institute of Technology Cambridge, MA 02139 reyzin@theory.lcs.mit.edu http://theory.lcs.mit.edu/~reyzin
More information